MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85fae09c728982b41695a32e986eb3e5974899946c89e5ee74c88611253bdf82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85fae09c728982b41695a32e986eb3e5974899946c89e5ee74c88611253bdf82
SHA3-384 hash: 2d480fd1801093e709e005585097810d04a92b1f1c59c39ef3649732a605b31f8cb7b65eb50a56fbdaa0d8c923b63440
SHA1 hash: 003b11f2e6c0ba2f3d5a09b9c387f1010ad40b92
MD5 hash: 36b5347b3faf3f2593b3c2abb092a40d
humanhash: solar-pennsylvania-eighteen-item
File name:SecuriteInfo.com.Trojan.Siggen9.41542.19714.24481
Download: download sample
Signature Loki
Create hunting rule
File size:626'176 bytes
First seen:2020-04-22 16:56:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash aa88a033e640f5e2cd9ec14c2ef177fc (1 x NanoCore, 1 x AgentTesla, 1 x Loki)
ssdeep 12288:/eHavhRELfTHxWrYsr2xQon7PByGpRyDD/WZCKiklQAPzc1/R2RN1:YOMb3dnjMCEeZOEQh1/RC
Threatray 1'484 similar samples on MalwareBazaar
TLSH E6D49F27F6B08837C122167D5D5B576C983AFE012A3D26462FF81D4CAF396C2396B187
Reporter SecuriteInfoCom
Tags:Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.41542.19714.24481.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-22 14:16:51 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qx5obhdsrgblifuvumxjq3vt4wlurgmunse6l3tuzcdbcjj336ba._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
3552b7385b710b24ba5f643226a26b22a48c7b3f1a64f55bd044981b7ee46015
Loki
7a7438886a3a9e9ca3b2187509ee26856f7befb671bd8a9fd35502c8e07d00f5
Loki
7b5294de28e02b4e0761778ca38ec8ee9b7770c3931912acd757e42e5a21a69f
Loki
87435dd1a14d8a428088bcca64f19da8c6d7cc9d6a1c0cbc70cee30df36dbd25
Loki
b69c69a4e61c0aa4eb601eae795266fcfec4c4e691142afe306289fb2a8fa69a
Loki
b8548946fc96a88d34f38da2d319bd507dbc6e5a7295800abfba4b34c0671e7d
Loki
c659ef91b7e46bf83528543fd14dfb2a117a2a12df4258f8025f98888c79c97f
Loki
d404a04c648fc2966698a40775202d64e252e088aabcf0c447debbd3e347682f
Loki
d7ad8d33106a13111a1ad34620f269d77f5968aa6057228d54c5559a0c97ce24
Loki
e63f29324ba77f9c16f9d079c7fbf7235b71d8a1011e9dc0d4004f63381ab228
Loki
+ 1'474 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 85fae09c728982b41695a32e986eb3e5974899946c89e5ee74c88611253bdf82

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/348175/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::FindFirstFileA
kernel32.dll::GetTempPathA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments